HAKIN9 EXTRA – ROOTKIT 06/2011

Rootkits Hidden in Hardware of PC
by Anibal Sacco
Let's think like an attacker for a second. There are multiple applications dedicated to finding malicious code in both user and kernel space, so new places have to be found to deploy your code while keeping it stealthy.

TDSS aka TDL – Chronology
by Eugene Melnichenko
An attempt could have been made to reconcile the inconsistencies shown above; however, the rootkit uses several kernel threads to check whether its hooks are still present and to restore them if required.

How to Write a Good Rootkit: a Different Approach
by Valerio Lupi
You can hide your startup registry key (depending on how you autostart your DLL, which needs to be reinjected into EXPLORER.EXE at login time) by not creating the registry key at all during normal operation and writing it only at shutdown (catching the WM_QUERYENDSESSION/WM_ENDSESSION message in your rootkit core).

Detecting Security Intrusions: Kernel-mode Rootkits
by Pablo Bravo
The proposed technique detects any software module (rootkit) that patches the System Service Descriptor Table (SSDT) or manipulates the process list on Windows systems in order to hide processes. The main idea is to gain execution at the moment the code or data of the operating system is being patched.

Strong Approach to Hardware-VM Rootkits Detection
by Igor Korkin
A Trusted Platform Module (TPM) application cannot save the situation, as the VMM can emulate the TPM. The fact that a malicious VMM can be loaded from the BIOS and survive BIOS updates aggravates the situation.

The Darkness of Social Exploitation
by Rakesh Sharma
The biggest cyber threat is people not understanding the value of information. It might sound simplistic, but that is really all it is. There is a darkness in everyone; the people who understand the power of information know exactly how dangerous it can be when put to misuse.

Basic Facebook Privacy Breaches
by Jose Ignacio Orlicki
Besides its native privacy issues, FB, like any web page, has been a target of cross-site scripting (XSS), SQL injection, phishing and every other attack imaginable via the web vector. Most of the vulnerabilities are reachable not directly through FB itself but through the FB platform.

Analysis of 'IM' Spreading Techniques
by Joseph Foulds
There should be greater pressure on instant messaging service providers to develop prevention systems ensuring that their services are not abused to facilitate the spread of malware. Although some malware samples do have primitive or even moderately advanced IM spreading techniques, we have yet to see any such samples 'in the wild'.